Java Servlet target Apache Tomcat Servers

A worm-like type of malicious software has been found targeting Apache Tomcat, an open-source Web server application, according to Symantec.

The malware, which Symantec calls “Java.Tomdep,” differs from other server malware as it’s not written in the PHP scripting language, wrote Takashi Katsuki in a blog post. Instead, it acts like a Java Servlet, a Java programming language class that’s designed to perform tasks for a web application. The malware servlet behaves like an IRC bot, receiving commands from an attacker, Katsuki wrote.

It can send and receive files, create new processes, update itself and conduct a UDP (user datagram protocol) flood, a type of DDoS (distributed denial-of-service) attack.

The command-and-control servers have been traced to Taiwan and Luxembourg, he wrote. End users who access web pages hosted on an infected Tomcat server are not affected by the malware.

Java.Tomdep also hunts for other Tomcat servers, trying a series of weak usernames and passwords. System administrators should use strong passwords for Tomcat machines and not open up the management port to public access.

Servers are rich targets for hackers since they run constantly and have high performance.

The malware doesn’t appear to be widespread, but Symantec has found infected machines in the U.S., Brazil, China, Italy, Sweden, Japan, South Korea, Vietnam and Malaysia.

If you run a TomCat server, it will be a good time to get a Vulnerability Assessment Test performed to see any loopholes in the server. Better safe than Sorry!